Infected JPEG not detected by NOD

Discussion in 'NOD32 version 2 Forum' started by Howard, Sep 24, 2004.

Thread Status:
Not open for further replies.
  1. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
As those who read slashdot or grc.security will know, AP4.jpg has been posted on the web (I am withholding a non-clickable link to this file from this post) supposedly to demonstrate the exploitation of the recent security alert/patch from Microsoft, specifically "MS04-028 - Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution". Whether it does, in fact, exploit this particular problem, I will leave to those far more knowledgeable about such matters than me. What it does do is crash IE6 on all flavours of XP (patched or unpatched, irrespective of service packs).

    NOD32 detects nothing peculiar about this file, which I opened untroubled in Mozilla 1.7.3 and then downloaded to one of my hard drives. However, eScan AntiVirus Toolkit Utility with current updates identifies AP4.jpg as infected by "Exploit.IE.Crashsos" Virus.

    My understanding of the discussions about this matter is that it is a question of when, not if, infected JPEGs are produced that will fully exploit MS04-028 (McAfee already has been scanning for this http://vil.nai.com/vil/content/v_128461.htm). It is not clear to me that NOD is currently affording me protection from this. Before, rather than after the event would be preferable, I think :)
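Added example, not part of Howard's post or of any vendor's scanner: a small Python walker over JPEG marker segments that checks only the framing a decoder has to trust, the marker codes and their two-byte length fields. It reports a segment whose length field is smaller than the two bytes of the field itself (the MS04-028 GDI+ flaw was triggered by exactly such an impossible length in a comment segment, which underflows when a decoder computes the payload size as an unsigned `length - 2`) and a segment that runs past the end of the file. The marker names and all sample byte strings below are constructed for the example; the function names `check_jpeg` and `make_sample` are mine.

```python
"""Defensive JPEG marker-segment walker (example code, not from the thread).

It does not decode pixels; it validates the marker/length framing and
returns findings a practitioner can act on (quarantine, do not open with
an unpatched decoder). Marker codes are from ITU T.81.
"""
import struct

# Names for common markers, used only in reports.
NAMES = {0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xD8: "SOI", 0xD9: "EOI",
         0xDA: "SOS", 0xDB: "DQT", 0xDD: "DRI", 0xE0: "APP0", 0xFE: "COM"}
EOI, SOS = 0xD9, 0xDA
# Markers with no length field: TEM, SOI, EOI and the restart markers RST0-RST7.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def _name(marker: int) -> str:
    return NAMES.get(marker, f"0x{marker:02X}")


def check_jpeg(data: bytes) -> dict:
    """Walk the marker segments of `data`.

    Returns {"segments": [(name, offset, length_field), ...],
             "findings": [problem description, ...]}.
    An empty findings list means the framing is self-consistent; it says
    nothing about the image content itself.
    """
    segments, findings = [], []
    n = len(data)
    if data[:2] != b"\xff\xd8":
        findings.append("missing SOI marker at offset 0")
        return {"segments": segments, "findings": findings}
    segments.append(("SOI", 0, None))
    pos = 2
    while pos < n:
        if data[pos] != 0xFF:
            findings.append(f"expected 0xFF marker prefix at offset {pos}")
            break
        while pos < n and data[pos] == 0xFF:  # 0xFF fill bytes before a marker are legal
            pos += 1
        if pos >= n:
            findings.append("file ends inside a marker")
            break
        marker, offset = data[pos], pos - 1
        pos += 1
        if marker in STANDALONE:
            segments.append((_name(marker), offset, None))
            if marker == EOI:
                return {"segments": segments, "findings": findings}
            continue
        if pos + 2 > n:
            findings.append(f"{_name(marker)} at offset {offset}: no room for length field")
            break
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        segments.append((_name(marker), offset, length))
        if length < 2:
            # The length counts its own two bytes, so 0 or 1 is impossible; a decoder
            # computing the payload size as unsigned `length - 2` underflows.
            findings.append(f"{_name(marker)} at offset {offset}: length field {length} < 2 "
                            "(unsigned length underflow; MS04-028 pattern)")
            break
        if pos + length > n:
            findings.append(f"{_name(marker)} at offset {offset}: segment of {length} bytes "
                            f"runs past end of file ({n} bytes)")
            break
        pos += length
        if marker == SOS:
            # Entropy-coded data follows with no length field; skip to the next real
            # marker. 0xFF 0x00 is a stuffed data byte and RSTn markers are data too.
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    if not findings:
        findings.append("no EOI marker: file is truncated or malformed")
    return {"segments": segments, "findings": findings}


def make_sample(comment: bytes, length_field: int = None) -> bytes:
    """Constructed input (not a real image): SOI, one COM segment, EOI.
    `length_field` overrides the correct value so malformed files can be built."""
    if length_field is None:
        length_field = len(comment) + 2
    return b"\xff\xd8\xff\xfe" + struct.pack(">H", length_field) + comment + b"\xff\xd9"


# Constructed: SOI, a minimal SOS header, entropy data containing a stuffed 0xFF00
# and an RST0 marker, then EOI. Exercises the entropy-coded-data skip.
SOS_SAMPLE = (b"\xff\xd8\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
              + b"\x12\xff\x00\x34" + b"\xff\xd0" + b"\x56" + b"\xff\xd9")


if __name__ == "__main__":
    for label, blob in [("well-formed", make_sample(b"ok")),
                        ("length field 1", make_sample(b"ok", length_field=1)),
                        ("oversized length", make_sample(b"hello", length_field=50)),
                        ("with SOS data", SOS_SAMPLE)]:
        print(label, check_jpeg(blob)["findings"] or "OK")
```

A gateway or mail filter can run this before handing a file to any image library; the check is cheap, needs no signature update, and catches the malformed-length class regardless of which engine names the sample.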
     
  2. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    It's hard to argue with that logic. Before would be nice.
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,789
    Location:
    Texas
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    As Ron said, please send an email to support@nod32.com and place a link to this thread.

    If you do not hear from Eset within 3 days (allows for weekends), please advise us here...

    Let us know how you go… we are all interested to hear what the answer is...

    Cheers :D
     
  5. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    NOD32 - v.1.876 (20040924)

    Win32/JPEGexploit.A
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,789
    Location:
    Texas
    Thanks rumpstah

    Sure wish we could have a naming party and get them all the same.
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    It’s this part that worries me Rumpstah, which is dependent on when Howard scanned the file and what update he was using…

    Cheers :D
     
  8. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    Excellent! It still does not detect the infection in the AP4.jpg that I mentioned, but I think that is because it is a quite different exploit. I will send the latter to support@nod32.com and place a link to this thread as has been suggested, but the more important impending threat, via MS04-028, is addressed by Win32/JPEGexploit.A.
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,789
    Location:
    Texas
    Thanks Howard.
     
  10. Hum....

    Hum.... Guest

    So, the "advanced" heuristics are not detecting it?
     
  11. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    This might be a stupid observation, but I do not think NOD scans JPEGs by default.... Do you have NOD set to scan all files?
     
  12. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    No, I have scanned it with everything switched on and with the latest definitions - 1.877. However, from what I can gather this particular file is not exploiting the MS04-028 - Buffer Overrun in JPEG Processing (GDI+) flaw. While it was posted as though it might be doing so, it appears to be exploiting an older flaw, as the affected module when IE crashes is mshtml.dll.

    For those of you who may wish to examine this file, the original link was posted in the following message on slashdot:

    http://slashdot.org/comments.pl?sid=122855&cid=10327905
     
  13. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    I have NOD set to scan everything including the kitchen sink :)
     
  14. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    From http://virusscan.jotti.dhs.org/

    ---------------------------------------------------------

    File: AP4.jpg
    Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    Packers detected: None

    AntiVir No viruses found (3.70 seconds taken)
    Avast No viruses found (9.42 seconds taken)
    BitDefender No viruses found (7.69 seconds taken)
    ClamAV No viruses found (26.36 seconds taken)
    Dr.Web No viruses found (12.44 seconds taken)
    F-Prot Antivirus No viruses found (0.75 seconds taken)
    F-Secure Anti-Virus No viruses found (9.64 seconds taken)
    Kaspersky Anti-Virus Exploit.IE.Crashsos (7.67 seconds taken)
    mks_vir No viruses found (2.68 seconds taken)
    NOD32 No viruses found (4.73 seconds taken)
    Norman Virus Control No viruses found (1.83 seconds taken)
    -------------------------------------------------------------

    From:
    http://www.virustotal.com/flash/index_en.html

    Results of a file scan
    This is the report of the scanning done over "AP4.jpg" file that VirusTotal processed on 09/25/2004 at 04:34:13.
    Antivirus Version Update Result
    BitDefender 7.0 09.24.2004 -
    ClamWin devel-20040822 09.23.2004 -
    Kaspersky 4.0.2.24 09.25.2004 Exploit.IE.Crashsos
    McAfee 4394 09.22.2004 -
    NOD32v2 1.877 09.25.2004 -
    Norman 5.70.10 09.24.2004 -
    Panda 7.02.00 09.24.2004 -
    Sybari 7.5.1314 09.25.2004 -
    Symantec 8.0 09.24.2004 -
    TrendMicro 7.000 09.23.2004 -
    VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about availability and continuity of this service. Do not reply to this message, it has been sent by an automated process that will not handle such responses. Even when the detection rate given by the use of multiple antivirus engines is far superior to the one offered by only one product, these results DON'T guarantee the harmlessness of a file. There is no solution that can offer a 100% rate of effectiveness recognizing virus and malware.

    -----------------------------------
     
  15. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    And, of course, the eScan AntiVirus Toolkit Utility - which I used to identify AP4.jpg as infected by "Exploit.IE.Crashsos" Virus - is based on the KAV scan engine and updates.
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    ROFLMAO, damn where can I get your version of Nod? :D :D :D
     
  17. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    Dunno, but it is based on your settings :)
     
  18. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Do not save the ap4.jpg file to the desktop. It makes a machine unbootable to the desktop (at least after about 5 minutes of waiting; glad I have test machines lying around ;) ). That was kind of fun. Of course if you go into safe mode and delete the file, it boots fine after that.
     
  19. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    I have come across an interesting discussion on the file in question AP4.jpg, with the following being the most significant observation:

    "I just built the 6a JPEG library from the IJG sources and ran it on the AP4.jpg image through a debugger. The offending code writes data to a non-allocated buffer. I.e. it writes to a pointer pointing out in space. That is NOT a buffer overrun issue.
    Moreover, what is written is the output from the inverse DCT. That is NOT executable code from an untrusted source. Hence it is not a security issue."

    The following link is to the message from which I have quoted.

    AP4.jpg discussion
     
  20. john smith

    john smith Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    59
    It still vexes me a bit that ESET's response to threats depends on whether it's a weekend or not. I understand staffing problems, but it seems that a worldwide-used AV program may need to ramp up its response ability.

    The offending jpg seems a relatively minor bit of malware, but this business of writing offending code into such a common file type is alarming.

    John
     
  21. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    Another zoo virus. NOD32 stops malware infections. Remember that having a piece of malware on one's computer does not automatically mean it has executed. If a virus or other malware has not executed then no harm has happened. Sure we all do not want any malware, executed or non-executed, on our computers but the problem happens if a piece of malware executes. NOD32 stops in-the-wild virii from executing. Right?

    Best wishes
     
  22. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    From what I understand, staffing levels are being looked at...

    It would be nice to see 24/7 support, in time I think this will have to happen, though it does take time to train staff...

    Cheers :D
     
  23. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    Just a brief update. Apparently there is now a GDI+ jpeg exploiting virus in the wild. An analysis of where and how is given here: http://www.easynews.com/virus.txt ("THIS VIRUS IS NASTY!"). I downloaded the zipped virus and checked it out with NOD32. Pleased to say AMON and NOD32 identify the contents of this file - possibleVirus.jpg - as Win32/Exploit.MS04-028 trojan. Good to see NOD32 is on the ball, because it looks like this could be the first of many.
     
  24. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Good to see the IMON HTTP scanner stops this before downloading!
    9/27/2004 17:42:08 PM IMON archive Win32/Exploit.MS04-028 trojan connection terminated
     
  25. MNKid

    MNKid Guest

    In other words, 104 days each year they are not available. For an antivirus proggy, I really have to wonder if that's acceptable.

    NOD rocks and is getting more much-deserved recognition every day. But with that, there comes more scrutiny. Time for Eset to step up and join the big leagues. They are right on the cusp of making it big in the US, so hopefully they won't be a victim of their own success.
     